Building More Trust in the Cloud

Evelyn is a data center and cloud security evangelist for the Security Technology Group at Cisco Systems, responsible for championing holistic and next-generation security solutions. She co-chairs the Cloud Security Alliance Cloud Controls Matrix (CCM) and is focused on harmonizing efforts across industry initiatives such as the Open Data Center Alliance (ODCA). Follow her on Twitter @e_desouza.

Companies are beginning to realize the economic advantages of cloud computing and are increasingly turning to cloud services. Despite this cloud-friendly shift in thinking, most organizations still harbor concerns about the security of cloud infrastructures.

Our economy relies heavily on a variety of sophisticated networks. As our global population continues to evolve, we develop complicated networked technologies — such as the cloud — to meet changing demands.

But security is challenged by threats to privacy, the misuse of intellectual property, malicious modification or replacement of technology, and counterfeiting. One of the biggest reasons organizations delay a migration to the cloud is the perceived loss of control over corporate data. When information is stored on cloud servers, key components of the IT infrastructure are moved beyond the reach of internal IT personnel.

Additionally, organizations that must meet government regulations may lose needed oversight of controlled data. Many IT teams are concerned that the cloud infrastructure — to the extent that it is not maintained or monitored by internal IT staff — runs the risk of downtime and unauthorized access.

Incorporating Trust into the Cloud

At its core, cloud computing requires that an IT department — and by extension, the organization and end users — trust that the cloud service provider has safeguarded the entire supply chain, from the organization’s own vendors to the end product.

Without that level of confidence, IT administrators often fear that with less oversight of computing systems, they can’t demonstrate that the hardware is running properly, or even that the infrastructure is running within certain geographic bounds.

Having trustworthy systems in place can satisfy these concerns.

First, trustworthy systems can offer attestation or assurance that services, workloads and servers are running within certain geographic bounds. Second, the principles of trustworthy systems can be used as guidelines to provide not just a state-in-time assurance but real-time attestation that services are functioning securely, effectively eliminating the fear that malware is making its way into the hardware layer and tampering with routers.

The cloud development community must employ secure design principles and have a comprehensive understanding of advanced coding practices. It must perform threat modeling and vulnerability testing, as well as confirm that extensive product security requirements are met.

These requirements create a framework from which cloud developers can develop trustworthy systems.

The Role of Vendor Reputation

When companies select a cloud vendor for security and critical infrastructure, they often base purchasing decisions on reputation and technical qualifications. More recently, a vendor’s evolving security approach and procurement process have begun to play an increasingly essential role.

Trusting a system requires confidence in the technologies on which it is built and the individuals who developed those technologies. Due to limited resources, past practices, government requirements or inexperience, not all vendors are qualified, willing or capable of developing trustworthy systems.

Vendors with proven track records, advanced security development and the foundation to support international security efforts in a transparent manner are often the most qualified to develop trustworthy systems.

Considering a Trustworthy Cloud Provider

Organizations should meticulously evaluate prospective cloud service providers to determine whether the best security practices are employed. Specifically, organizations should verify the degree of visibility and control, including:

The cloud provider’s reputation with respect to trustworthiness

The extent to which real-time assurance can be provided

Looking Ahead

Many organizations have been holding back from adopting a cloud computing strategy due to a lack of trust. Moving forward, cloud security vendors must have a system in place to immediately alleviate a potential customer’s concerns regarding the lack of visibility over infrastructure and data.

Simply put, a customer needs the same level of confidence and trust in the cloud infrastructure that it has behind the firewalls in its own enterprise. Organizations will soon recognize that cloud computing offers a cost-benefit that is hard to ignore.

A company interested in the cost savings to be realized through cloud computing can employ the best practices outlined above to assess the trustworthiness of a potential cloud partner, and take advantage of the economic benefits of cloud computing with confidence.